LeMod Pol 2004-08-17, 7:23 pm
.... there is a default mode that enables telnet, ftp
and sendmail. We are trying to get these unused
services locked down and turned off, so when the device
comes to you it will have fewer vulnerabilities ..."
FDA reads riot act to device makers
By Deni Connor and Ellen Messmer
Network World, 08/16/04
http://www.nwfusion.com/news/2004/081604fdapatch.html
AUSTIN, TEXAS - Amid growing concern about security in
hospital patient-care systems, the federal agency that
regulates medical devices last week announced a
get-tough policy to improve equipment safety.
Medical devices such as ultrasound and radiology
systems often rely on commercial off-the-shelf
software, including Windows and Unix, that requires
continuous patching for security. But increasingly,
hospital IT administrators are voicing complaints that
manufacturers are failing to patch Windows-based
equipment quickly or at all, which then falls prey to
computer worms. This not only disrupts hospital
operations but poses a potential safety hazard to
patients.
Hospitals are calling on the U.S. Food and Drug
Administration (FDA) to put pressure on manufacturers,
which by law must authorize the patch after testing it
to see if it might have a negative impact on the
medical application.
In turn, manufacturers have put the blame on hospitals,
saying they have to do a better job with security, such
as including internal firewalls and
intrusion-prevention systems.
Last week, FDA Deputy Director Brian Fitzgerald
outlined three initiatives to improve a deteriorating
security situation.
Speaking at the annual IT Conference organized by the
Department of Veterans Affairs (VA), he said the agency
won't tolerate medical-device manufacturers failing to
keep equipment up to date with security patches.
As a penalty, Fitzgerald said, the FDA will withhold
regulatory approval on equipment submitted by
manufacturers deemed to have a bad track record on
patching. "They won't be able to have certification for
new devices," he said.
This get-tough approach, which will go out in a
guidance letter, represents a sharpening in enforcement
of FDA regulations Section 510(k) and 518. Those rules
give the FDA power to set baselines for safety and
security.
The FDA also has planned two new efforts to improve
security of medical equipment. Guidelines to be issued
in the next six months will detail how the FDA expects
device manufacturers to be building and testing
"networkable, networthy medical devices," Fitzgerald
said.
Largely inspired by the Air Force medical-device
evaluation program launched last fall that's intended
to keep unpatched medical equipment off Air Force
networks, the FDA technical guide will be aimed at
helping manufacturers achieve "technical excellence,"
Fitzgerald said.
The Air Force requires device manufacturers to test
Windows, Unix, Oracle and other applications, and
adhere to a regimen of responding to patching
requirements based on security bulletins.
The third FDA regulatory effort will involve the FDA
setting up forensics capability to examine devices
infected by computer worms or other malware and track
down the culprits. In addition, the FDA will create an
investigative arm.
This idea evoked skepticism.
"Why would the FDA want to create their own G-men when
there are already a bunch of experts at the FBI at
work?" asked Steve Wexler, biomedical engineer at the
VA who helped the VA's network staff design security
for medical equipment at VA hospitals. "If someone
wants to poison a medical device, that's a criminal act
the FBI should be involved in."
Wexler is gung-ho on the FDA's other ideas.
"The more information we can share on the existing
regulations and how to apply them is great for
everybody," he said.
Conference speakers talked of the growing security threat.
"As medical devices are networked, threat sources are
expanded, endangering all systems attached to the
network, including healthcare partners, hospital
information infrastructures, patient data and
applications," Kenneth Kizer, CEO of the National
Quality Forum, said.
Kizer described a list of problems, ranging from
anti-virus software installed by an end user on a GE
Medical Systems device that crashed it, taking days to
restore, to the Blaster worm infecting Kodak Imaging
Systems radiography servers.
In addition, Kizer said there is the problem of the
insider threat, such as the case of Christopher Scott
Sandusky, who two years ago admitted to unlawfully
accessing the network of a Las Vegas firm, Steinberg
Diagnostic Medical Imaging, and locking the employees
out of their own system. The computer consulting
company that helped set up the Steinberg medical
imaging system had fired Sandusky.
National Quality Forum plans to hold meetings with
industry representatives to address the range of
problems, he said.
Ultimately, hospitals and manufacturers have to take
steps to do what they can to minimize security risks,
several VA officials said.
The VA has established what it calls the Health
Information Security Division (HISD) in Martinsburg,
W.Va., to test medical equipment based on commercial
off-the-shelf products. HISD is working with the
Department of Defense to publish a set of guidelines
early next year for assessing medical equipment.
Hal Haislip, WAN manager for the VA's Integrated
Service network in Little Rock, Ark., said the VA tries
to make sure unnecessary software features in both
Windows- and Unix-based medical equipment are either
turned off or removed.
"If you look at Unix devices, there is a default mode
that enables telnet, ftp and sendmail. We are trying to
get these unused services locked down and turned off,
so when the device comes to you it will have fewer
vulnerabilities," he said.
"A CT scanner doesn't need a mail client," Wexler
noted. "That's what's getting patched."
--
LP
In politics, moderation is the best policy
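A defender-side check for the "default mode" Haislip describes, as an added example that is not from the article, the VA or any vendor: it parses a constructed netstat-style listing of a device's TCP listeners, compares it with a hypothetical allowlist of the ports the device actually needs (here DICOM on 104 and SSH on 22), and flags the legacy services the article names (telnet, ftp, sendmail/smtp) so they can be turned off before the device reaches the hospital network.

```shell
#!/bin/sh
# Added example: audit a Unix device's TCP listeners against an allowlist
# and name the legacy services the article singles out.

# Constructed sample in `netstat -tln` format, standing in for a device
# shipped in the "default mode" (telnet, ftp and sendmail all listening).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:104             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Hypothetical allowlist for an imaging device: DICOM (104) and SSH (22).
ALLOWED_PORTS="104 22"

# Map a port to the service the article refers to; "unknown" otherwise.
service_name() {
    case "$1" in
        21) echo ftp ;;
        23) echo telnet ;;
        25) echo smtp ;;
        *)  echo unknown ;;
    esac
}

# Print one "port service scope" line per listener that is not allowlisted.
# Sockets bound only to loopback are "local"; anything else is "exposed".
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # port follows the last colon
            if (port in ok) next
            host = $4; sub(/:[0-9]+$/, "", host)
            scope = (host == "127.0.0.1" || host == "::1") ? "local" : "exposed"
            print port, scope
        }' | while read -r port scope; do
            echo "$port $(service_name "$port") $scope"
        done
}

# Count only externally reachable findings, for a ship/no-ship decision.
exposed_count() {
    audit_listeners "$1" "$2" | grep -c ' exposed$' || true
}
```

Run against a real device, replace SAMPLE_NETSTAT with the output of `netstat -tln` (or the equivalent on that platform) and set ALLOWED_PORTS from the device's documented network requirements.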